@ebarretto from ~ubuntu-security previously reviewed tpm2-tss internally - so am pasting that review here for completeness:
I've reviewed tpm2-tss 2.1.0-4 as checked into disco. This shouldn't be considered a full audit but rather a quick gauge of maintainability. tpm2-tss is TCG's (Trusted Computing Group) implementation of TPM2 Software Stack (TSS2). No CVE history Build-Depends: autoconf autoconf-archive debhelper docbook-xsl libcmocka-dev libgcrypt20-dev libtool pkg-config xsltproc postinst file on libtss2-udev_2.1.0-4_iall/DEBIAN/postinst No post/prm rm for libtss2-udev No postinst and post/pre rm for libtss2-dev and libtss2-esys0 No init scripts No systemd services No DBus services No setuid No binaries in PATH No sudo fragments Udev rule in libtss2-udev: # tpm devices can only be accessed by the tss user but the tss # group members can access tpmrm devices KERNEL=="tpm[0-9]*", MODE="0660", OWNER="tss" KERNEL=="tpmrm[0-9]*", MODE="0660", OWNER="tss", GROUP="tss" Test suite under test/. vTPM needed to run it, shouldn't be run against an actual TPM. test/unit/ - run during build test/helper, test/integration and test/tpmclient also available. No cron jobs Some warnings but nothing to worry dpkg-scanpackages: warning: Packages in archive but missing from override file: dpkg-scanpackages: warning: sbuild-build-depends-core-dummy dpkg-scanpackages: warning: Packages in archive but missing from override file: dpkg-scanpackages: warning: sbuild-build-depends-core-dummy sbuild-build-depends-tpm2-tss-dummy dpkg-source: warning: extracting unsigned source package (tpm2-tss_2.1.0-4.dsc) Makefile-test.am:66: warning: variable 'ESYSCRY_LDFLAGS' is defined but no program or configure: WARNING: unrecognized options: --disable-maintainer-mode configure: WARNING: doxygen not found - will not generate any doxygen documentation configure: WARNING: unrecognized options: --disable-maintainer-mode debian/resourcemgr.xml:62: warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" debian/tpmclient.xml:62: warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" debian/tpmtest.xml:62: warning: failed to load external entity "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" # ERROR: 0 libtool: warning: relinking 'src/tss2-tcti/libtss2-tcti-device.la' libtool: warning: relinking 'src/tss2-tcti/libtss2-tcti-mssim.la' libtool: warning: relinking 'src/tss2-sys/libtss2-sys.la' libtool: warning: relinking 'src/tss2-esys/libtss2-esys.la' libtool: warning: remember to run 'libtool --finish /usr/lib/x86_64-linux-gnu' dpkg-gencontrol: warning: Depends field of package libtss2-dev: substitution variable ${shlibs:Depends} used, but is not defined dpkg-scanpackages: warning: Packages in archive but missing from override file: dpkg-scanpackages: warning: sbuild-build-depends-core-dummy sbuild-build-depends-lintian-dummy sbuild-build-depends-tpm2-tss-dummy No subprocesses spawned Lots of memory operations, a quick look at them, they look safe Just a few file IO operations, they all look ok Lots of logging. A quick look at them, they look safe tpm2-tss make use of the following environment variables: ./test/integration/sapi-test-options.c:107: env_str = getenv(ENV_TCTI_NAME); ./test/integration/sapi-test-options.c:110: env_str = getenv(ENV_DEVICE_FILE); ./test/integration/sapi-test-options.c:113: env_str = getenv(ENV_SOCKET_ADDRESS); ./test/integration/sapi-test-options.c:116: env_str = getenv(ENV_SOCKET_PORT); ./src/util/log.c:159: char *envlevel = getenv("TSS2_LOG"); No privileged operations Encryption src/tss2-esys/esys_crypto_ossl.c: make use of openssl crypto functions/structures and so on. To name a few: RSA, EVP MD. src/tss2-esys/esys_crypto_gcrypt.c: make use of libgcrypt functions/structures to calculate hashes/HMAC/RSA/ECC/AES and so on. Networking is used in TPM Command Transimission Interface (TCTI) module for interaction with the Microsoft TPM2 simulator. tcti-socket - TPM simulator TCTI library tcti-socket is a library that abstracts the details of direct communication with the interface and protocol exposed by the daemon hosting the TPM2 reference implementation. The interface exposed by this library is defined in the “TSS System Level API and TPM Command Transmission Interface Specification” specification. No WebKit No PolicyKit Some shellcheck warnings for test scripts The overall quality of the code looks good, really mature as one would expect from a software stack. Security team ACK for promoting tpm2-tss to main. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1841595 Title: [MIR] tpm2-tss To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tpm2-tss/+bug/1841595/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs